[RESOLVED] - Rjump issue

We currently have lots and lots of PCs infected with Ravmon (aka Rjump).

For some odd reason Avast (all up to date etc) is not picking them up.

I read in THIS THREAD about turning up the Standard Shield scan to HIGH. Will this really help?

hi…maybe it is a variant…of the same, please mail it to avast zipped with password…“virus” to
virus@avast.com
u can use 7z. it's free
http://www.7-zip.org/download.html
and one more question how did u come to know ur PC was infected… do u have any other anti-virus??
and about ur standard shield question…
and from my personal experience
turning ur sensitivity to high actually helps in detecting the malware when the malware is present in the current explorer window…[ie: u dont have to point to it or click on it for detection]…it does not serve any other purpose…
and it kinda slows down ur os a bit…noticed it on comps with less RAM

Hi GHENick,

You have to disable system restore, else this malware is restored after cleansing.
Disabling System Restore on Windows XP

IMPORTANT NOTES:

* You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
* Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

  1. Click Start.
  2. Right-click the My Computer icon, and then click Properties.
  3. Click the System Restore tab.
  4. Check “Turn off System Restore” or “Turn off System Restore on all drives” as shown in this illustration:
  5. Click Apply.
  6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
  7. Click OK.
  8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

  1. Click Start.
  2. Right-click My Computer, and then click Properties.
  3. Click the System Restore tab.
  4. Uncheck “Turn off System Restore” or “Turn off System Restore on all drives.”
  5. Click Apply, and then click OK.

Starting System Restore From a Command Prompt in Windows XP

  1. Restart your computer or turn the computer on
  2. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a “keyboard error” message. To resolve this, restart the computer and try again.
  3. Select the “Safe Mode with Command Prompt” option and press Enter
  4. Log on to the computer with an administrator account
  5. Type the following at the command prompt and press Enter

%systemroot%\system32\restore\rstrui.exe

  6. Follow the onscreen instructions to restore your computer to an earlier time.

Re-enabling System Restore in Windows XP via the Group Policy Editor

In some cases, System Restore is disabled via the Group Policy Editor. In these cases, System Restore does not show up as a tab under My Computer Properties in Windows XP. If it doesn't show up, the question becomes how you turn it on in the first place. To re-enable System Restore via the Group Policy Editor, follow these directions:

  1. Start the Group Policy Editor by clicking on Start, Run and typing gpedit.msc in the Run box and pressing Enter
  2. In the left hand column, click on Computer Configuration, Administrative Templates, System, System Restore
  3. In the right hand column, set Turn off System Restore and Turn off Configuration to Disable
  4. Minimize the Group Policy Editor
  5. Right click on My Computer and Select Manage
  6. In the right hand column, double click on Services and Applications, then Services
  7. Find the System Restore Service and double-click to open
  8. On the General tab set [Startup Type] to Automatic using the drop down list
  9. Click the Start button to start the service
  10. Close the Computer Management console
  11. Maximize the Group Policy Editor and set Turn off System Restore and Turn off Configuration to Not Configured
  12. Close Group Policy Editor and reboot the system.
  13. Once the system is rebooted, Click on Start, Right-click on My Computer, click on Properties and the System Restore tab should appear again.
Disabling System Restore on Windows Vista

To turn off Windows Vista System Restore:

  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side
  4. Click on Continue on the “User Account Control” window that pops up
  5. Under the System Protection tab, find Available Disks
  6. Uncheck the box for any drive you wish to disable system restore on
  7. When turning off System Restore, the existing restore points will be deleted. Click “Turn System Restore Off” on the popup window to do this.
  8. Click OK
  9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side
  4. Click on Continue on the “User Account Control” window that pops up
  5. Under the System Protection tab, find Available Disks
  6. Place a checkmark in the box for any drive you wish to enable System Restore on
  7. Click OK
Microsoft Article on Viruses and _Restore Folder

polonus
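The Group Policy steps above, done from an administrator PowerShell prompt instead. This is an added example, not something from the thread or from avast; it assumes Windows XP (where the service is named srservice) and uses the policy registry values that the "Turn off System Restore" and "Turn off Configuration" settings write, so the machine state can be checked before and after a cleanup.

```powershell
# Added example (not from the thread): disable System Restore by policy so that
# malware is not kept in a restore point during cleanup, then put the policy back
# to "Not Configured" and restart the service afterwards, as the steps above do.
# Assumes Windows XP (service 'srservice') and an administrator PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

function Set-SystemRestorePolicy {
    param([Parameter(Mandatory=$true)][bool]$Disabled)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $value = 0
    if ($Disabled) { $value = 1 }
    # DisableSR = "Turn off System Restore", DisableConfig = "Turn off Configuration"
    Set-ItemProperty -Path $policyKey -Name 'DisableSR'     -Value $value -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'DisableConfig' -Value $value -Type DWord
}

function Remove-SystemRestorePolicy {
    # Same effect as setting both policies back to "Not Configured" in gpedit
    if (Test-Path $policyKey) {
        Remove-ItemProperty -Path $policyKey -Name 'DisableSR','DisableConfig' -ErrorAction SilentlyContinue
    }
}

function Get-SystemRestoreState {
    $svc = Get-Service -Name 'srservice' -ErrorAction SilentlyContinue
    $pol = $null
    if (Test-Path $policyKey) { $pol = Get-ItemProperty -Path $policyKey }
    $state = New-Object PSObject -Property @{
        ServiceStatus = 'not present'
        DisableSR     = 'not configured'
        DisableConfig = 'not configured'
    }
    if ($svc) { $state.ServiceStatus = $svc.Status }
    if ($pol -and $pol.DisableSR -ne $null)     { $state.DisableSR     = $pol.DisableSR }
    if ($pol -and $pol.DisableConfig -ne $null) { $state.DisableConfig = $pol.DisableConfig }
    $state | Select-Object ServiceStatus, DisableSR, DisableConfig
}

# 1. Turn System Restore off by policy before cleaning (existing restore points are discarded).
Set-SystemRestorePolicy -Disabled $true
Get-SystemRestoreState

# ... run the on-demand scan / cleanup here ...

# 2. Afterwards clear the policy, make the service start automatically, and reboot as the steps say.
Remove-SystemRestorePolicy
Set-Service -Name 'srservice' -StartupType Automatic
Start-Service -Name 'srservice' -ErrorAction SilentlyContinue
Get-SystemRestoreState
```

Get-SystemRestoreState is the check worth keeping: if DisableSR is still 1 after cleanup, the System Restore tab will not come back no matter how many times the service is restarted, which is exactly the situation the "via the Group Policy Editor" section describes.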

Thanks for the replies, I should have been more clear in my first post.
It is detected when an “on demand” scan is run, however not “on access”.
We became aware of it as our Webfiltering software was picking up enormous amounts of attempted hits on a particular site, which turns out to be associated with RJUMP.
Checking out the suspect PCs revealed RAVMONE running in system memory.

None of the machines here have System restore active, by group policy we switched it off years ago just because of the virus problems.

Do you get only memory detections, or file detections too? If avast! is detecting infected files a boot scan may solve the problem, but if the computers are networked you will have to isolate them to avoid reinfection.

Also check removable drives, especially USB drives.

No memory detections at all, it will quite happily show in the task manager list, several times in fact.
Doing an on-demand scan removes it.
And yes, the USB devices are a big issue, Avast doesn’t pick it up from those unless you do an on demand scan too.
Then the USB device infects the computer, again, not detected by avast.
It’s really peculiar, I’ve trusted Avast since day one, it’s never let me down until now.

If you mount the usb drive on an infected computer, isolate this from the network, and execute an on demand scan of all drives (including the usb device), will this not clean it?

Did you turn on the High sensitivity and even in this case avast allows the infection of the computer?
Did you send the file for avast analysis?

Well I haven’t considered sending the file to Avast as it is detected and removed when an on demand scan is done, so I assume that Avast will detect it, but it doesn’t unless an on demand scan is run.

Setting the high sensitivity made no change.

Is this file packed (zip, arj, cab…) in any way?
The on-access scanning is less deep than the thorough on-demand scannings due to performance maintenance.

Did you try antitrojan, antispyware and especially antirootkit tools?

No, none of the above. There’s nothing special about it at all, it’s just R-JUMP (Ravmone).
It’s not a case of it hiding, it’s removed when a scan has been done.
Trouble is, re-infection occurs when a USB storage device (infected elsewhere) is plugged in. Avast! doesn’t detect the initial infection UNTIL an on demand scan is done. Consequently it lingers around.
What I have done at the moment is schedule a scan every Friday lunchtime (I would do it more often but our users complain it affects their systems too much). This gets rid of any infections, but due to the USB thing, it comes back within a couple of days.
If only Avast! would scan any inserted USB storage device immediately there wouldn’t be this issue.

well if avast does not detect it in the USB drive for some reason…u could consider the option of turning off the autorun (autoplay) option on pen drives…so when the pen drive is inserted u can scan the pen drive on demand and remove the virus from them…and if u plan it out by scanning all the systems during boot time…and removing all the viruses from the pen drives at the same time…it should be gone for good…
steps to turn off autorun

  1. Click Start > Run
  2. Type “gpedit.msc”
  3. Computer Configuration > Click “Administrative Templates” > Click “System” > Double-Click “Turn off Autoplay”
  4. Setting tab > Check “Enabled” > Select “All drives” from the drop down menu > Apply > Ok

There are 4 easy steps to making sure that Autoplay (Autorun) is disabled on all your drives including the USB. That would remove the ability of people to insert a USB drive and automatically run a .exe on your computer by using a *.inf file.

and remember after inserting the pen drive U SHOULD RIGHT CLICK ON IT AND CHOOSE THE “EXPLORE” OPTION…left clicking on it will cause the autorun of the virus…

and my second thought is that maybe avast is not detecting it cos it may be a new variant and may have a different signature…so please email it to avast…and explain ur problem to them in the body of the letter …
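The same "Turn off Autoplay: All drives" setting applied from PowerShell, plus a read-only check of every removable drive for an autorun.inf so an administrator can see what a stick would have launched before anyone double-clicks it. This is an added example, not from the thread or from avast; it assumes an administrator PowerShell session on XP/Vista, and the NoDriveTypeAutoRun value of 0xFF is what the policy editor writes for "All drives".

```powershell
# Added example (not from the thread): apply the "Turn off Autoplay" policy for
# all drive types and audit removable drives for autorun.inf without running
# anything from them. Assumes an administrator PowerShell session.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoplayAllDrives {
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    # 0xFF sets the bit for every drive type, which is what "All drives" in gpedit writes
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutoplayDisabled {
    $v = (Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($v -eq 0xFF)
}

function Get-RemovableAutorunReport {
    # DriveType 2 = removable disk (USB sticks, flash cards)
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $drives) {
        $root = "$($d.DeviceID)\"            # e.g. E:\ (DeviceID alone would be drive-relative)
        $inf  = Join-Path $root 'autorun.inf'
        $entry = New-Object PSObject -Property @{
            Drive        = $d.DeviceID
            HasAutorun   = (Test-Path $inf)
            LaunchTarget = $null
            TargetExists = $false
        }
        if ($entry.HasAutorun) {
            # Only read which file the inf points at; never execute it
            $line = Get-Content $inf -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
                    Select-Object -First 1
            if ($line) {
                $target = ($line -split '=', 2)[1].Trim()
                $entry.LaunchTarget = $target
                # Take the first token only, in case the line carries arguments after the file name
                $file = ($target -split '\s+')[0]
                $entry.TargetExists = (Test-Path (Join-Path $root $file))
            }
        }
        $entry | Select-Object Drive, HasAutorun, LaunchTarget, TargetExists
    }
}

Disable-AutoplayAllDrives
"Autoplay disabled for all drives: $(Test-AutoplayDisabled)"
Get-RemovableAutorunReport | Format-Table -AutoSize
```

A drive that reports HasAutorun = True with a TargetExists = True executable is the one to scan on demand before opening. Note the poster's "right-click > Explore" advice still applies on XP of that era: the policy stops the automatic run on insertion, but double-clicking the drive in My Computer can still follow the inf's shell action.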

Use the High sensitivity level of Standard Shield.

I’ve had to turn that (high sensitivity) off because it impacts on the performance on some of our critical systems.
We’ve debated turning off autorun, and we will do it as soon as possible.
We have approximately 3000 USB storage devices on our network, getting users to scan them manually is not an easy task!

I will capture a Ravmon sample and send it on, but I anticipate it to be the run-of-the-mill flavour.

I haven’t heard back from the lab.
Do they normally respond in person?
How will I know if the sample I submitted was a new variant or just the old one?

  1. & 2. You would normally only be contacted if they required any further information.

  3. If you place the sample in the User Files section of the avast chest you can periodically scan it within the chest (where it can do no harm) and see if it is detected. If it is a new variant or an old one that isn’t detected you won’t be able to directly tell from an avast scan, only that it is now detected or not.

Since there is no standardisation in virus/malware naming you can’t compare names directly to tell if it is a new variant or an existing one that isn’t detected. You could however test using a multi engine scanner which is likely to reveal other virus/malware names for the same sample, from this you may be able to tell if it is an old and not new variant.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

So, the USB won’t be automatically scanned when you attach a stick there…

It will be safer.

So you can test the Normal sensitivity level, but check the scanning of opened/created/modified files also.
I see no other option: if the user does not run a manual scan, the resident should use resources to be always on.

This is Virus Totals output.

Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.12.2007 Win-Trojan/Rajump.3515723
AntiVir 7.4.0.32 06.12.2007 Worm/Rjump.E
Authentium 4.93.8 06.12.2007 no virus found
Avast 4.7.997.0 06.09.2007 Win32:Rjump
AVG 7.5.0.467 06.11.2007 Worm/Generic.RL
BitDefender 7.2 06.12.2007 Worm.RJump.J
CAT-QuickHeal 9.00 06.11.2007 Worm.RJump.a
ClamAV devel-20070416 06.12.2007 Worm.RJump-2
DrWeb 4.33 06.11.2007 Trojan.Iespy
eSafe 7.0.15.0 06.11.2007 Win32.RJump.a
eTrust-Vet 30.7.3713 06.12.2007 Win32/RJump.A
Ewido 4.0 06.11.2007 no virus found
FileAdvisor 1 06.12.2007 no virus found
Fortinet 2.85.0.0 06.12.2007 W32/RJump.A!worm
F-Prot 4.3.2.48 06.11.2007 no virus found
F-Secure 6.70.13030.0 06.12.2007 Worm.Win32.RJump.a
Ikarus T3.1.1.8 06.12.2007 Worm.Win32.RJump.a
Kaspersky 4.0.2.24 06.12.2007 Worm.Win32.RJump.a
McAfee 5050 06.11.2007 W32/RJump.worm
Microsoft 1.2503 06.12.2007 no virus found
NOD32v2 2323 06.11.2007 Win32/RJump.A
Norman 5.80.02 06.11.2007 no virus found
Panda 9.0.0.4 06.12.2007 Bck/Simut.A
Prevx1 V2 06.12.2007 Trojan.RavMonE
Sophos 4.18.0 06.12.2007 W32/RJump-H
Sunbelt 2.2.907.0 06.09.2007 VIPRE.Suspicious
Symantec 10 06.12.2007 W32.Rajump
TheHacker 6.1.6.132 06.11.2007 W32/RJump.a
VBA32 3.12.0.1 06.11.2007 Worm.Win32.RJump.a
VirusBuster 4.3.23:9 06.11.2007 Worm.RJump.A
Webwasher-Gateway 6.0.1 06.12.2007 Worm.Rjump.E

Jotti’s report…

File: RavMonE.exe
Status: INFECTED/MALWARE
MD5 ff8f61f7d137155c3d3c1f0e28b9bff4
Packers detected: PY2EXE

Scanner results
Scan taken on 12 Jun 2007 07:39:50 (GMT)
A-Squared Found nothing
AntiVir Found WORM/Rjump.E
ArcaVir Found Worm.Rjump.A
Avast Found Win32:Rjump
AVG Antivirus Found Worm/Generic.RL
BitDefender Found Worm.RJump.J
ClamAV Found Worm.RJump-2
Dr.Web Found Trojan.Iespy
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Worm.Win32.RJump.a
Fortinet Found W32/RJump.A!worm
Kaspersky Anti-Virus Found Worm.Win32.RJump.a
NOD32 Found Win32/RJump.A
Norman Virus Control Found nothing
Panda Antivirus Found Bck/Simut.A
Rising Antivirus Found Worm.Snake.a
VirusBuster Found Worm.RJump.A
VBA32 Found Worm.Win32.RJump.a

As you can see Avast picks it up as RJUMP, our version of Avast is up-to-date in all aspects, but still does not detect it on access. I even copied it to my desktop without avast picking up on it.

What could possibly be wrong?

Which are your Standard Shield configurations at this time?
Are you scanning the opened/created/modified files?

As you can see Avast picks it up as RJUMP, our version of Avast is up-to-date in all aspects, but still does not detect it on access. I even copied it to my desktop without avast picking up on it.

I’m as baffled as you are as to why this isn’t being picked up on-access, you changed the sensitivity to High and I presume that ‘did’ pick it up on access ?

So why it shouldn’t on normal is strange as the file type .exe should be scanned even on Normal.

Unfortunately I don’t think submitting the sample to the ‘lab’ will help you as they would be looking to see if it is a virus and including it in the signatures (if it were a new variant), unless you specifically said in the submission what is happening (not detected on access, but detected on-demand) and give a link to this topic, not just submitting the sample in isolation.

It may be worth an email to support @ avast dot com explaining the problem, with link to this topic as under normal circumstances I would expect it to be scanned on-access (creation/modification) by the standard shield. As Tech mentions if you customised these settings that could be why.

I would also suggest that you confirm that avast is scanning .exe files, etc. and detecting if infected, http://www.eicar.com/anti_virus_test_file.htm. Download any of the .exe or .com versions of the test file and see if the standard shield alerts, you would need to pause the web shield or that is likely to alert or download using the https: link which doesn’t get scanned by web shield.
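The EICAR check from the post, scripted so it can be run on each affected PC without touching the web shield. This is an added example, not from the thread or from avast: it writes the standard EICAR test string from eicar.com to a .com file in the user's temp folder (a path of our own choosing) and reports whether the file survived, on the assumption that the Standard Shield is set to delete or quarantine on detection.

```powershell
# Added example (not from the thread): create the EICAR test file locally so the
# on-access shield, not the web shield, is what sees it, then check whether it
# was removed. Assumes the shield deletes/quarantines rather than only alerting.
# Single quotes keep PowerShell from expanding the $ characters in the string.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-OnAccessScanner {
    param(
        [string]$Path = (Join-Path $env:TEMP 'eicar-test.com'),  # hypothetical location
        [int]$WaitSeconds = 10
    )
    # Write raw ASCII bytes so no BOM or trailing newline alters the 68-byte test string
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)
    try {
        [System.IO.File]::WriteAllBytes($Path, $bytes)
    } catch {
        # A shield that scans on creation may refuse the write outright; that counts as detected
        return (New-Object PSObject -Property @{ Path = $Path; Detected = $true; Result = 'write blocked by scanner' })
    }
    Start-Sleep -Seconds $WaitSeconds
    $present = Test-Path $Path
    if ($present) {
        # Some configurations only scan on open/read, so read the file once and re-check
        Get-Content $Path -ErrorAction SilentlyContinue | Out-Null
        Start-Sleep -Seconds 2
        $present = Test-Path $Path
    }
    $result = 'file removed or quarantined: on-access scanning is working'
    if ($present) {
        $result = 'file still present: on-access scanning did NOT act'
        Remove-Item $Path -Force -ErrorAction SilentlyContinue   # clean up our own test file
    }
    New-Object PSObject -Property @{ Path = $Path; Detected = (-not $present); Result = $result } |
        Select-Object Path, Detected, Result
}

Test-OnAccessScanner
```

If the shield is configured to ask rather than act, watch for the alert pop-up instead of relying on the Detected column. A "file still present" result for a plain .com file is the same symptom the poster describes for the real sample, and is the thing to put in the e-mail to support.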